[111239] in North American Network Operators' Group
RE: Private use of non-RFC1918 IP space
daemon@ATHENA.MIT.EDU (Blake Pfankuch)
Mon Feb 2 12:59:38 2009
From: Blake Pfankuch <bpfankuch@cpgreeley.com>
To: "D'Arcy J.M. Cain" <darcy@druid.net>, "sthaug@nethelp.no" <sthaug@nethelp.no>
Date: Mon, 2 Feb 2009 10:58:52 -0700
In-Reply-To: <20090202122025.ffa25a66.darcy@druid.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Using public IP space in general is typically just asking for trouble. I worked with an "ISP" once who decided to use 192.0.0.0/24 for IPs to customers who didn't need a static IP. They did it not knowing what they were doing (oh, you mean 192.0.0.0/8 isn't RFC1918?) but very quickly they had to change it. In our current customer base we have run into it a few times where someone is using non-RFC1918 space internally, and we propose changing it very quickly, as we have had several customers who don't know it but need to get to something in that public space.
If you happen to be the funny guy who uses an IP range from some tiny foreign off-the-wall country because "we will never need to connect to their IP space", remember that IP address allocations change and you won't think it's so funny when the company who provides your anti-virus moves their update servers to match your internal IP space.
> There are sometimes good reasons to do this, for instance to ensure
> uniqueness in the face of mergers and acquisitions.
If you are going to force uniqueness and one of the parties in the merger was super smart in their original deployment and decided to use 10.0.0.0/8 for their network of 300 machines, force them to change to something smarter. Remind them how layer 3 networks inside of a single building work. Even if a network is not publicly seen, you have to keep in mind how many machines see it while they might see a public network. A specific customer had a 216.xx.xx.0/24 network for their private production network. Their internal router also saw it and had an ACL on who could access it, meaning their entire staff couldn't get to their colocated webserver when their provider readdressed that floor in the datacenter.
All rambling aside, it's much easier to renumber on the front end as opposed to ending up with VPN natting that makes you cry on the inside. Think of the person who will take over your network when you eventually leave your position.
> This is a bit off-topic, but I thought I'd mention that this is one reason I recommend use of the 172.16/12 block to people building or renumbering enterprise networks. Most people seem to use 10/8 in large organizations and 192.168/16 in smaller ones, so it raises your chances of not having to get into heavy natting down the road. My theory on this is that most people who don't deal with CIDR on a daily basis find the /12 netmask a bit confusing and just avoid the block at all.
Also a good point. Most of the "support engineers" I run into think that 172.24.0.0 is public IP space.
-----Original Message-----
From: D'Arcy J.M. Cain [mailto:darcy@druid.net]
Sent: Monday, February 02, 2009 10:20 AM
To: sthaug@nethelp.no
Cc: nanog@nanog.org
Subject: Re: Private use of non-RFC1918 IP space
On Mon, 02 Feb 2009 18:03:57 +0100 (CET)
sthaug@nethelp.no wrote:
> > What reason could you possibly have to use non RFC 1918 space on a
> > closed network? It's very bad practice - unfortunately I do see it done
> > sometimes....
>
> There are sometimes good reasons to do this, for instance to ensure
> uniqueness in the face of mergers and acquisitions.
How does that help? If you are renumbering due to a merger, couldn't
you just agree on separate private space just as easily?
--
D'Arcy J.M. Cain <darcy@druid.net> | Democracy is three wolves
http://www.druid.net/darcy/ | and a sheep voting on
+1 416 425 1212 (DoD#0082) (eNTP) | what's for dinner.
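A small audit of the points raised in this thread, written as an added example and not taken from any of the list posts: it classifies internal prefixes against the three RFC 1918 blocks (so 172.24.0.0/16 comes out as private, not public), flags non-RFC1918 internal ranges that would shadow an external destination such as a vendor's update servers, and flags a /8 handed to a few hundred hosts. The sample prefixes, destinations and the 64x waste threshold are constructed assumptions.

```python
"""Audit an internal address plan against RFC 1918 (added example, not from the thread)."""
import ipaddress
from typing import Dict, List, Optional

# The three RFC 1918 private blocks. 172.24.0.0 sits inside 172.16.0.0/12.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumption: a prefix more than 64x larger than its host count is "oversized".
WASTE_FACTOR = 64


def rfc1918_block(prefix: str) -> Optional[ipaddress.IPv4Network]:
    """Return the RFC 1918 block containing `prefix`, or None if it is not private."""
    net = ipaddress.ip_network(prefix, strict=False)
    for block in RFC1918:
        if net.subnet_of(block):
            return block
    return None


def audit_plan(internal_prefixes: List[str], external_destinations: List[str],
               host_counts: Optional[Dict[str, int]] = None) -> Dict[str, List[str]]:
    """Report non-RFC1918 internal ranges, public hosts they shadow, and wasteful sizing."""
    host_counts = host_counts or {}
    report: Dict[str, List[str]] = {"non_rfc1918": [], "collisions": [], "oversized": []}
    for prefix in internal_prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        if rfc1918_block(prefix) is None:
            report["non_rfc1918"].append(prefix)
        # Any destination that falls inside an internally routed range is unreachable
        # from inside; this is the "vendor moved its update servers" failure mode.
        for dest in external_destinations:
            if ipaddress.ip_address(dest) in net:
                report["collisions"].append(f"{dest} shadowed by {prefix}")
        hosts = host_counts.get(prefix)
        if hosts is not None and net.num_addresses > WASTE_FACTOR * hosts:
            report["oversized"].append(prefix)
    return report


if __name__ == "__main__":
    # Constructed sample plan: 10/8 for 300 hosts, a private /16 in 172.16/12,
    # and a documentation range (198.51.100.0/24) misused as internal space.
    print(audit_plan(["10.0.0.0/8", "172.24.0.0/16", "198.51.100.0/24"],
                     ["198.51.100.10", "203.0.113.5"], {"10.0.0.0/8": 300}))
```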